Abstract. In this paper we work on (bi)simulation semantics of processes
that exhibit both nondeterministic and probabilistic behaviour. We propose a
probabilistic extension of the modal mu-calculus and show how to derive
characteristic formulae for various simulation-like preorders over finite-state
processes without divergence. In addition, we show that even without the
fixpoint operators this probabilistic mu-calculus can be used to characterise
these behavioural relations in the sense that two states are equivalent if and
only if they satisfy the same set of formulae.



1 Introduction 

In concurrency theory, behavioural relations such as equivalences and
refinement preorders form a basis for establishing system correctness. Usually
both specifications and implementations are expressed as processes within the
same framework, in which a specification describes some high-level behaviour
and an implementation gives the technical details for achieving the behaviour.
Then one chooses an equivalence or preorder to verify that the implementation
realises the behaviour required by the specification.

A great many behavioural relations are defined on top of labelled transition
systems, which offer an operational model of systems. For finitary (i.e.
finite-state and finitely branching) systems, these behavioural relations can
be computed in a mechanical way, and thus may be incorporated into automatic
verification tools. In recent years, probabilistic constructs have proven
useful for giving quantitative specifications of system behaviour. The first
papers on probabilistic concurrency theory [1112119) proceed by replacing
nondeterministic with probabilistic constructs. The reconciliation of
nondeterministic and probabilistic constructs starts with [T^] and has received
a lot of attention in the literature
[34,30,20,29,15,21,1,17,24,3,33,22,8,6,4]. We shall also work in a framework
that features the co-existence of probability and nondeterminism.

Among the behavioural relations that have proven useful in probabilistic
concurrency theory are various types of simulation and bisimulation relations.
Axiomatisations for bisimulations have been investigated in [1,9]. Logical
characterisations of bisimulations and simulations have been studied in
[30,26]. For example, in [30] the probabilistic computation tree logic (PCTL)
[13] is used and it turns out that two states are bisimilar if and only if they
satisfy the same set of PCTL formulae.

In the nonprobabilistic setting, there is a line of research on characteristic
formulae. The goal is to seek a particular formula $\varphi_s$ for a given
state $s$ such that a necessary and sufficient condition for any state $t$
being bisimilar to $s$ is to satisfy $\varphi_s$ [31]. This is a very strong
property in the sense that to check if $t$ is bisimilar to $s$ it suffices to
consider the single formula $\varphi_s$ and see if it can be satisfied by $t$.
It offers a convenient method for equivalence or preorder checking.

In this paper we partially extend the results of [31] to a probabilistic
setting that admits both probabilistic and nondeterministic choice; to make the
main ideas neat we do not consider divergence. We present a probabilistic
extension of the modal mu-calculus [I^ (pMu), where a formula is interpreted as
the set of probability distributions satisfying it. This is in contrast to the
probabilistic semantics of the mu-calculus as studied in [15,21,22] where
formulae denote lower bounds of probabilistic evidence of properties, and the
semantics of the generalised probabilistic logic of 3^ where a mu-calculus
formula is interpreted as a set of deterministic trees that satisfy it.

We shall provide characteristic formulae for strong and weak probabilistic
(bi)simulation as introduced in [30,29], as well as forward simulation [29] and
failure simulation [6]. The results are obtained in two phases, which we
illustrate by taking strong probabilistic bisimilarity $\sim$ as an example.
Given a finite-state probabilistic labelled transition system with state space
$\{s_1,\dots,s_n\}$, we first construct an equation system $E$ of modal
formulae in pMu.

A solution of the equation system is a function $\rho$ that assigns to each
variable $X_{s_i}$ a set of distributions $\rho(X_{s_i})$. The greatest
solution of the equation system, denoted by $\nu_E$, has the property that
$s_i \sim s_j$ if and only if the point distribution $\bar{s_j}$ is an element
of $\nu_E(X_{s_i})$. In the second phase, we apply three transformation rules
upon $E$ in order to obtain a pMu formula $\varphi_{s_i}$ whose meaning
$[\![\varphi_{s_i}]\!]$ is exactly captured by $\nu_E(X_{s_i})$. As a
consequence, we derive a characteristic formula for $s_i$ such that
$s_i \sim s_j$ if and only if $\bar{s_j} \in [\![\varphi_{s_i}]\!]$.

Without the fixpoint operators pMu gives rise to a probabilistic extension
of the Hennessy-Milner logic [13]. In analogy to the nonprobabilistic setting,
it characterises (bi)simulations in the sense that $s \sim t$ if and only if
the two states $s, t$ satisfy the same set of formulae.

The paper is organised as follows. In Section 2 we recall the definitions of
several (bi)simulations defined over probabilistic labelled transition systems.
In Section 3 we introduce the syntax and semantics of pMu. In Section 4 we
build characteristic equation systems and derive from them characteristic
formulae for all our (bi)simulations. In Section 5 we consider the
fixpoint-free fragment of pMu which characterises a state by the class of
formulae it satisfies. Finally, in Section 6 we provide some concluding
remarks.

2 Probabilistic (bi)simulations

In this section we recall several probabilistic extensions of simulation and
bisimulation [23] that appeared in the literature.

We begin with some notation concerning probability distributions. A (discrete)
probability distribution over a set $S$ is a function $\Delta : S \to [0,1]$
with $\sum_{s\in S}\Delta(s) = 1$; the support of $\Delta$ is given by
$\lceil\Delta\rceil = \{s \in S \mid \Delta(s) > 0\}$. We write
$\mathcal{D}(S)$, ranged over by $\Delta, \Theta$, for the set of all
distributions over $S$. We also write $\bar{s}$ to denote the point
distribution assigning probability 1 to $s$ and 0 to all others, so that
$\lceil\bar{s}\rceil = \{s\}$. If $p_i \geq 0$ and $\Delta_i$ is a distribution
for each $i$ in some index set $I$, and $\sum_{i\in I} p_i = 1$, then the
probability distribution $\sum_{i\in I} p_i\cdot\Delta_i \in \mathcal{D}(S)$ is
given by $(\sum_{i\in I} p_i\cdot\Delta_i)(s) = \sum_{i\in I} p_i\cdot\Delta_i(s)$;
we will sometimes write it as $p_1\cdot\Delta_1 + \dots + p_n\cdot\Delta_n$
when $I = \{1,\dots,n\}$.

We now present the operational model that we shall use in the remainder of 
the paper. 

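Definition 1. A finite state probabilistic labelled transition system (pLTS) is
a triple $(S, Act_\tau, \to)$, where

1. $S$ is a finite set of states

2. $Act_\tau$ is a set of external actions $Act$ augmented with an internal
   action $\tau \notin Act$

3. $\to\ \subseteq S \times Act_\tau \times \mathcal{D}(S)$.

We usually write $s \xrightarrow{a} \Delta$ for $(s,a,\Delta) \in\ \to$,
$s \xrightarrow{a}$ for $\exists\Delta : s \xrightarrow{a} \Delta$, and
$s \not\xrightarrow{a}$ for the negation of $s \xrightarrow{a}$. We write
$s \not\xrightarrow{A}$ with $A \subseteq Act$ when
$\forall a \in A \cup \{\tau\} : s \not\xrightarrow{a}$, and
$\Delta \not\xrightarrow{A}$ when
$\forall s \in \lceil\Delta\rceil : s \not\xrightarrow{A}$. A pLTS is finitely
branching if, for each state $s$, the set
$\{(a,\Delta) \mid s \xrightarrow{a} \Delta\}$ is finite. A pLTS is finitary if
it is finite-state and finitely branching.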

To define probabilistic (bi)simulations, it is often necessary to lift a relation 
over states to one over distributions. 

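Definition 2. Given two sets $S$ and $T$ and a relation
$\mathcal{R} \subseteq S \times T$. We lift $\mathcal{R}$ to a relation
$\mathcal{R}^\dagger \subseteq \mathcal{D}(S) \times \mathcal{D}(T)$ by letting
$\Delta\,\mathcal{R}^\dagger\,\Theta$ whenever

1. $\Delta = \sum_{i\in I} p_i\cdot\bar{s_i}$, where $I$ is a countable index
   set and $\sum_{i\in I} p_i = 1$

2. for each $i \in I$ there is a state $t_i$ such that $s_i\,\mathcal{R}\,t_i$

3. $\Theta = \sum_{i\in I} p_i\cdot\bar{t_i}$.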

Note that in the decomposition of $\Delta$, the states $s_i$ are not
necessarily distinct: that is, the decomposition is not in general unique, and
similarly for the decomposition of $\Theta$. For example, if
$\mathcal{R} = \{(s_1,t_1), (s_1,t_2), (s_2,t_3), (s_3,t_3)\}$,
A = ^sT + is2 -I- jSs, and — ^ti + ^^2 + ^ts, then ATZ^ holds because of 
the decompositions A = ^Ji + |sT+ jS2 + 3: S3 and = ^ii -I- ^^2 + jt^ + jt^. 
From the above definition, the next two properties follow. In fact, they are
sometimes used as alternative methods of lifting relations (see e.g. [30,19]).

Proposition 1. 1. Let $\Delta$ and $\Theta$ be distributions over $S$ and $T$,
respectively. Then $\Delta\,\mathcal{R}^\dagger\,\Theta$ iff there exists a
weight function $w : S \times T \to [0,1]$ such that

(a) $\forall s \in S : \sum_{t\in T} w(s,t) = \Delta(s)$

(b) $\forall t \in T : \sum_{s\in S} w(s,t) = \Theta(t)$

(c) $\forall (s,t) \in S \times T : w(s,t) > 0 \Rightarrow s\,\mathcal{R}\,t$.

2. Let $\Delta, \Theta$ be distributions over $S$ and $\mathcal{R}$ be an
equivalence relation. Then $\Delta\,\mathcal{R}^\dagger\,\Theta$ iff
$\Delta(C) = \Theta(C)$ for all equivalence classes $C \in S/\mathcal{R}$,
where $\Delta(C)$ stands for the accumulated probability
$\sum_{s\in C}\Delta(s)$.

Proof. See Proposition 2.3 in [5]. □

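In a similar way, following 18|, we can lift a relation
$\mathcal{R} \subseteq S \times \mathcal{D}(T)$ to a relation
$\mathcal{R}^\dagger \subseteq \mathcal{D}(S) \times \mathcal{D}(T)$, by
letting $\Delta\,\mathcal{R}^\dagger\,\Theta$ whenever

1. $\Delta = \sum_{i\in I} p_i\cdot\bar{s_i}$, where $I$ is a countable index
   set and $\sum_{i\in I} p_i = 1$

2. for each $i \in I$ there is a distribution $\Theta_i$ such that
   $s_i\,\mathcal{R}\,\Theta_i$

The above lifting constructions satisfy the following two useful properties,
whose proofs are easy, so we omit them.

Proposition 2. Suppose $\mathcal{R} \subseteq S \times S$ or
$S \times \mathcal{D}(S)$ and $\sum_{i\in I} p_i = 1$. Then

1. $\Delta_i\,\mathcal{R}^\dagger\,\Theta_i$ for all $i \in I$ implies
   $(\sum_{i\in I} p_i\cdot\Delta_i)\,\mathcal{R}^\dagger\,(\sum_{i\in I} p_i\cdot\Theta_i)$.

2. If $(\sum_{i\in I} p_i\cdot\Delta_i)\,\mathcal{R}^\dagger\,\Theta$ then
   $\Theta = \sum_{i\in I} p_i\cdot\Theta_i$ for some set of distributions
   $\Theta_i$ such that $\Delta_i\,\mathcal{R}^\dagger\,\Theta_i$ for all
   $i \in I$. □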

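We write $s \xrightarrow{\hat\tau} \Delta$ if either
$s \xrightarrow{\tau} \Delta$ or $\Delta = \bar{s}$, and
$s \xrightarrow{\hat a} \Delta$ iff $s \xrightarrow{a} \Delta$ for
$a \in Act$. For any $a \in Act_\tau$, we know that
$\xrightarrow{\hat a}\ \subseteq S \times \mathcal{D}(S)$, so we can lift it to
be a transition relation between distributions. With a slight abuse of notation
we simply write $\Delta \xrightarrow{\hat a} \Theta$ for
$\Delta\,(\xrightarrow{\hat a})^\dagger\,\Theta$. Then we define weak
transitions $\xRightarrow{\hat a}$ by letting $\xRightarrow{\hat\tau}$ be the
reflexive and transitive closure of $\xrightarrow{\hat\tau}$ and writing
$\Delta \xRightarrow{\hat a} \Theta$ for $a \in Act$ whenever
$\Delta \xRightarrow{\hat\tau}\xrightarrow{\hat a}\xRightarrow{\hat\tau} \Theta$.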

Definition 3. A divergence is a sequence of states $s_i$ and distributions
$\Delta_i$ with $s_i \xrightarrow{\tau} \Delta_i$ and
$s_{i+1} \in \lceil\Delta_i\rceil$ for $i \geq 0$.

The above definition of $\Longrightarrow$ is sensible only in the absence of
divergence. In general, one would need a more complicated notion of
$\Longrightarrow$, such as proposed in [?!. Therefore, from here on we restrict
attention to divergence-free pLTSs.

Definition 4. A relation $\mathcal{R} \subseteq S \times S$ is a strong
probabilistic simulation if $s\,\mathcal{R}\,t$ and $a \in Act_\tau$ implies

- if $s \xrightarrow{a} \Delta$ then there exists some $\Theta$ such that
  $\bar{t} \xrightarrow{a} \Theta$ and $\Delta\,\mathcal{R}^\dagger\,\Theta$.

If both $\mathcal{R}$ and $\mathcal{R}^{-1}$ are strong probabilistic
simulations, then $\mathcal{R}$ is a strong probabilistic bisimulation. A state
$s$ is related to another state $t$ via strong probabilistic similarity (resp.
bisimilarity), denoted $s \prec t$ (resp. $s \sim t$), if there exists a strong
probabilistic simulation (resp. bisimulation) $\mathcal{R}$ such that
$s\,\mathcal{R}\,t$. Weak probabilistic similarity ($\precsim$) and weak
probabilistic bisimilarity ($\approx$) are defined in the same manner just by
using $\bar{t} \xRightarrow{\hat a} \Theta$ in place of
$\bar{t} \xrightarrow{a} \Theta$.

All four (bi)simulations above stem from [30,29]. There they were proposed as
improvements over the strong bisimulation of [12] and the strong simulation
of T6', both of which can be defined as the strong probabilistic (bi)simulation
above, but using $t \xrightarrow{a} \Theta$ in place of
$\bar{t} \xrightarrow{a} \Theta$. Other definitions of simulation have also
appeared in the literature. Here we consider two typical ones: forward
simulation [29] and failure simulation [6].
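
The weight-function test of Proposition 1(1), and on top of it the simulation variant just mentioned that matches with a single transition $t \xrightarrow{a} \Theta$ instead of $\bar{t} \xrightarrow{a} \Theta$, as an added Python example (not code from the paper). The function names are hypothetical, and the probabilities and the small pLTS are constructed for the illustration.

```python
from collections import deque
from fractions import Fraction as F


def lift_witness(delta, theta, rel):
    """Weight function w of Proposition 1(1) for delta R-dagger theta, or None.

    delta, theta: dict state -> Fraction, each summing to 1; rel: set of pairs.
    Conditions (a)-(c) form a transportation problem, solved here as a maximum
    flow src -> s -> t -> snk with exact rational capacities.
    """
    if sum(delta.values()) != 1 or sum(theta.values()) != 1:
        raise ValueError("delta and theta must sum to 1")
    pairs = [(s, t) for s, t in rel
             if delta.get(s, 0) > 0 and theta.get(t, 0) > 0]
    cap = {}

    def edge(u, v, c):
        cap[(u, v)] = cap.get((u, v), F(0)) + c
        cap.setdefault((v, u), F(0))           # residual (reverse) edge

    for s, p in delta.items():
        if p > 0:
            edge("src", ("S", s), F(p))        # row sums, condition (a)
    for t, p in theta.items():
        if p > 0:
            edge(("T", t), "snk", F(p))        # column sums, condition (b)
    for s, t in pairs:
        edge(("S", s), ("T", t), F(1))         # only related pairs, condition (c)
    adj = {}
    for u, v in cap:
        adj.setdefault(u, []).append(v)
    flow = F(0)
    while True:                                # Edmonds-Karp augmentation
        parent, queue = {"src": None}, deque(["src"])
        while queue and "snk" not in parent:
            u = queue.popleft()
            for v in adj.get(u, []):
                if v not in parent and cap[(u, v)] > 0:
                    parent[v] = u
                    queue.append(v)
        if "snk" not in parent:
            break
        path, v = [], "snk"
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        push = min(cap[e] for e in path)
        for u, v in path:
            cap[(u, v)] -= push
            cap[(v, u)] += push
        flow += push
    if flow != 1:                              # some probability mass is unmatched
        return None
    w = {(s, t): cap[(("T", t), ("S", s))] for s, t in pairs}
    return {k: v for k, v in w.items() if v > 0}


def greatest_simulation(states, trans):
    """Largest R such that s R t and s -a-> Delta imply t -a-> Theta with
    Delta R-dagger Theta (single matching transition, no convex combinations).

    trans: dict state -> list of (action, distribution).
    """
    rel = {(s, t) for s in states for t in states}
    changed = True
    while changed:                             # shrink until nothing is removed
        changed = False
        for s, t in sorted(rel):
            matched = all(
                any(b == a and lift_witness(d, th, rel) is not None
                    for b, th in trans.get(t, []))
                for a, d in trans.get(s, []))
            if not matched:
                rel.discard((s, t))
                changed = True
    return rel


# Constructed data. R_EX is the relation of the example after Definition 2;
# the probabilities in DELTA and THETA are chosen for this illustration.
R_EX = {("s1", "t1"), ("s1", "t2"), ("s2", "t3"), ("s3", "t3")}
DELTA = {"s1": F(1, 2), "s2": F(1, 4), "s3": F(1, 4)}
THETA = {"t1": F(1, 3), "t2": F(1, 6), "t3": F(1, 2)}

# Constructed pLTS: p and q flip a fair coin on a; r moves to p1 with certainty.
point = lambda s: {s: F(1)}
TRANS = {
    "p": [("a", {"p1": F(1, 2), "p2": F(1, 2)})],
    "p1": [("b", point("end"))], "p2": [("c", point("end"))],
    "q": [("a", {"q1": F(1, 2), "q2": F(1, 2)})],
    "q1": [("b", point("end"))], "q2": [("c", point("end"))],
    "r": [("a", point("p1"))],
}
STATES = ["p", "p1", "p2", "q", "q1", "q2", "r", "end"]
```

Because the relation shrinks monotonically and the lifting is monotone in the relation, the loop ends at the greatest fixpoint; the combined-transition version of Definition 4 would additionally need a search over convex combinations of the transitions of $t$.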

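Definition 5. A relation $\mathcal{R} \subseteq S \times \mathcal{D}(S)$ is a
failure simulation if $s\,\mathcal{R}\,\Theta$ implies

1. if $s \xrightarrow{a} \Delta$ with $a \in Act_\tau$ then $\exists\Theta'$
   such that $\Theta \xRightarrow{\hat a} \Theta'$ and
   $\Delta\,\mathcal{R}^\dagger\,\Theta'$;

2. if $s \not\xrightarrow{A}$ with $A \subseteq Act$ then $\exists\Theta'$ such
   that $\Theta \xRightarrow{\hat\tau} \Theta'$ and
   $\Theta' \not\xrightarrow{A}$.

We write $s \triangleleft_{FS} \Theta$ if there is some failure simulation
$\mathcal{R}$ such that $s\,\mathcal{R}\,\Theta$.

Similarly, we define a forward simulation and $s \triangleleft_s \Theta$ by
dropping the second clause in Definition 5.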

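Lemma 1. Let $\mathcal{R} \in \{\approx, \precsim, \triangleleft_s, \triangleleft_{FS}\}$.

1. If $\Delta\,\mathcal{R}^\dagger\,\Theta$ and
   $\Delta \xrightarrow{\hat a} \Delta'$ then $\exists\Theta'$ such that
   $\Theta \xRightarrow{\hat a} \Theta'$ and
   $\Delta'\,\mathcal{R}^\dagger\,\Theta'$.

2. If $\Delta\,\mathcal{R}^\dagger\,\Theta$ and
   $\Delta \xRightarrow{\hat a} \Delta'$ then $\exists\Theta'$ such that
   $\Theta \xRightarrow{\hat a} \Theta'$ and
   $\Delta'\,\mathcal{R}^\dagger\,\Theta'$.

If $\mathcal{R} \in \{\sim, \prec\}$, the first result applies as well, but
with $\to$ instead of $\Longrightarrow$.

Proof. We start with the cases that $\mathcal{R} = \approx$ or
$\mathcal{R} = \precsim$. Let $\Delta\,\mathcal{R}^\dagger\,\Theta$ and
$\Delta \xrightarrow{\hat a} \Delta'$. The latter means that
$\Delta = \sum_{i\in I} p_i\cdot\bar{s_i}$,
$\Delta' = \sum_{i\in I} p_i\cdot\Delta'_i$ and
$s_i \xrightarrow{\hat a} \Delta'_i$ for $i \in I$. Since
$\Delta\,\mathcal{R}^\dagger\,\Theta$, we have
$\Theta = \sum_{i\in I} p_i\cdot\Theta_i$ with
$\bar{s_i}\,\mathcal{R}^\dagger\,\Theta_i$, using Proposition 2(2). Therefore,
for each $i \in I$ and $t \in \lceil\Theta_i\rceil$, we have
$s_i\,\mathcal{R}\,t$, and hence there is some $\Theta'_t$ with
$\bar{t} \xRightarrow{\hat a} \Theta'_t$ and
$\Delta'_i\,\mathcal{R}^\dagger\,\Theta'_t$. Let
$\Theta'_i := \sum_t \Theta_i(t)\cdot\Theta'_t$. Then
$\Theta_i \xRightarrow{\hat a} \Theta'_i$ and
$\Delta'_i\,\mathcal{R}^\dagger\,\Theta'_i$, using Lemma 6.6 from [8], which is
Proposition 2(1) but with $\xRightarrow{\hat a}$ instead of
$\mathcal{R}^\dagger$. Let $\Theta' := \sum_{i\in I} p_i\cdot\Theta'_i$. Then
$\Theta \xRightarrow{\hat a} \Theta'$ and
$\Delta'\,\mathcal{R}^\dagger\,\Theta'$, again by Lemma 6.6 of [8].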

The first statement, and its proof, also hold with — > instead of — >. From 
this, the second statement follows by transitivity. 

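The cases that $\mathcal{R} = \triangleleft_s$ or
$\mathcal{R} = \triangleleft_{FS}$ proceed likewise, except that the two
sentences starting with "Therefore" are replaced by:

Therefore, for each $i \in I$ there are some index set $J_i$ and probabilities
$p_{ij}$ such that $\sum_{j\in J_i} p_{ij} = 1$ and
$\Theta_i = \sum_{j\in J_i} p_{ij}\cdot\Theta_{ij}$ with
$s_i\,\mathcal{R}\,\Theta_{ij}$ for all $j \in J_i$, and hence there are
$\Theta'_{ij}$ with $\Theta_{ij} \xRightarrow{\hat a} \Theta'_{ij}$ and
$\Delta'_i\,\mathcal{R}^\dagger\,\Theta'_{ij}$. Let
$\Theta'_i := \sum_{j\in J_i} p_{ij}\cdot\Theta'_{ij}$.

The proof for $\mathcal{R} = \sim$ or $\mathcal{R} = \prec$ goes as for
$\mathcal{R} = \approx$, with $\to$ replacing $\Longrightarrow$. □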



3 The Probabilistic Modal mu-Calculus 

Let $Var$ be a countable set of variables. We define a class U'™ of modal
formulae by the following grammar:

$$\varphi := \bigwedge_{i\in I}\varphi_i \mid \bigvee_{i\in I}\varphi_i \mid \neg\varphi \mid \langle a\rangle\varphi \mid [a]\varphi \mid \bigoplus_{i\in I}\varphi_i \mid \bigoplus_{i\in I} p_i\cdot\varphi_i \mid {\downarrow}\varphi \mid X \mid \mu X.\varphi \mid \nu X.\varphi$$

where $I$ is an index set, $a \in Act_\tau$ and $\sum_{i\in I} p_i = 1$. The
probabilistic modal mu-calculus (pMu) is given by the subclass $\mathcal{L}$,
obtained by imposing the syntactic condition that in $\mu X.\varphi$ and
$\nu X.\varphi$ the variable $X$ may occur in $\varphi$ only within the scope
of an even number of negations. The above syntax is obtained by adding a
variant of the probabilistic construct $\bigoplus_{i\in I} p_i\cdot\varphi_i$,
introduced in [6] in the context of a less expressive logic without fixpoint
operators, as well as the novel modalities $\bigoplus_{i\in I}\varphi_i$ and
${\downarrow}\varphi$, to the syntax of the non-probabilistic mu-calculus [T5].
As usual, one has $\bigwedge_{i\in\emptyset}\varphi_i = \mathit{true}$ and
$\bigvee_{i\in\emptyset}\varphi_i = \mathit{false}$.

The two fixpoint operators $\mu X$ and $\nu X$ bind the respective variable
$X$. We apply the usual terminology of free and bound variables in a formula
and write $fv(\varphi)$ for the set of free variables in $\varphi$. A formula
$\varphi$ is closed if $fv(\varphi) = \emptyset$.

For any set $\Omega$, write $\mathcal{P}(\Omega)$ for the power set of
$\Omega$. We use environments, which bind free variables to sets of
distributions, in order to give semantics to formulae. Let

$$Env = \{\rho \mid \rho : Var \to \mathcal{P}(\mathcal{D}(S))\}$$

be the set of all environments and ranged over by $\rho$. For a set
$V \subseteq \mathcal{D}(S)$ and a variable $X \in Var$, we write
$\rho[X \mapsto V]$ for the environment that maps $X$ to $V$ and $Y$ to
$\rho(Y)$ for all $Y \neq X$.

The semantics of a formula $\varphi$ in an environment $\rho$ is given as the
set of distributions $[\![\varphi]\!]_\rho$ satisfying it. This leads to a
semantic functional
$[\![\ ]\!] : \mathcal{L} \to Env \to \mathcal{P}(\mathcal{D}(S))$ defined
inductively in Table 1. As the meaning of a closed formula $\varphi$ does not
depend on the environment, one writes $[\![\varphi]\!]$ for
$[\![\varphi]\!]_\rho$ where $\rho$ is an arbitrary environment. In that case
one also writes $\Delta \models \varphi$ for $\Delta \in [\![\varphi]\!]$.



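$$
\begin{array}{lcl}
[\![\bigwedge_{i\in I}\varphi_i]\!]_\rho &=& \bigcap_{i\in I}[\![\varphi_i]\!]_\rho \qquad \text{so } [\![\mathit{true}]\!]_\rho = \mathcal{D}(S) \\
[\![\bigvee_{i\in I}\varphi_i]\!]_\rho &=& \bigcup_{i\in I}[\![\varphi_i]\!]_\rho \qquad \text{so } [\![\mathit{false}]\!]_\rho = \emptyset \\
[\![\neg\varphi]\!]_\rho &=& \mathcal{D}(S) \setminus [\![\varphi]\!]_\rho \\
[\![\langle a\rangle\varphi]\!]_\rho &=& \{\Delta \in \mathcal{D}(S) \mid \exists\Delta' : \Delta \xrightarrow{a} \Delta' \wedge \Delta' \in [\![\varphi]\!]_\rho\} \\
[\![[a]\varphi]\!]_\rho &=& \{\Delta \in \mathcal{D}(S) \mid \forall\Delta' : \Delta \xrightarrow{a} \Delta' \Rightarrow \Delta' \in [\![\varphi]\!]_\rho\} \\
[\![\bigoplus_{i\in I}\varphi_i]\!]_\rho &=& \{\Delta \in \mathcal{D}(S) \mid \Delta = \sum_{i\in I} p_i\cdot\Delta_i \text{ for some } p_i \text{ with } \sum_{i\in I} p_i = 1 \wedge \forall i \in I : \Delta_i \in [\![\varphi_i]\!]_\rho\} \\
[\![\bigoplus_{i\in I} p_i\cdot\varphi_i]\!]_\rho &=& \{\Delta \in \mathcal{D}(S) \mid \Delta = \sum_{i\in I} p_i\cdot\Delta_i \wedge \forall i \in I : \Delta_i \in [\![\varphi_i]\!]_\rho\} \\
[\![{\downarrow}\varphi]\!]_\rho &=& \{\Delta \in \mathcal{D}(S) \mid \forall s \in \lceil\Delta\rceil : \bar{s} \in [\![\varphi]\!]_\rho\} \\
[\![X]\!]_\rho &=& \rho(X) \\
[\![\mu X.\varphi]\!]_\rho &=& \bigcap\{V \subseteq \mathcal{D}(S) \mid [\![\varphi]\!]_{\rho[X\mapsto V]} \subseteq V\} \\
[\![\nu X.\varphi]\!]_\rho &=& \bigcup\{V \subseteq \mathcal{D}(S) \mid [\![\varphi]\!]_{\rho[X\mapsto V]} \supseteq V\} \\[1ex]
[\![\langle a\rangle\varphi]\!]_\rho &=& \{\Delta \in \mathcal{D}(S) \mid \exists\Delta' : \Delta \xRightarrow{\hat a} \Delta' \wedge \Delta' \in [\![\varphi]\!]_\rho\} \\
[\![[a]\varphi]\!]_\rho &=& \{\Delta \in \mathcal{D}(S) \mid \forall\Delta' : \Delta \xRightarrow{\hat a} \Delta' \Rightarrow \Delta' \in [\![\varphi]\!]_\rho\}
\end{array}
$$

Table 1. Strong and weak semantics of the probabilistic modal mu-calculus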



Following [18,28] we give a strong and a weak semantics of the probabilistic
modal mu-calculus. Both are the same as those of the modal mu-calculus [18,28]
except that distributions of states are taking the roles of states. The power
set of $\mathcal{D}(S)$, $\mathcal{P}(\mathcal{D}(S))$, may be viewed as the
complete lattice
$(\mathcal{P}(\mathcal{D}(S)), \mathcal{D}(S), \emptyset, \subseteq, \cup, \cap)$.
Intuitively, we identify a formula with the set of distributions that make it
true. For example, true holds for all distributions and dually false holds for
no distribution. Conjunction and disjunction are interpreted by intersection
and union of sets, and negation by complement. The formula
$\langle a\rangle\varphi$ holds for a distribution $\Delta$ if there is a
distribution $\Delta'$ that can be reached after an $a$-transition and that
satisfies $\varphi$. Dually, $[a]\varphi$ holds for $\Delta$ if all
distributions reachable from $\Delta$ by an $a$-transition satisfy $\varphi$.
The formulas $\bigoplus_{i\in I}\varphi_i$ and
$\bigoplus_{i\in I} p_i\cdot\varphi_i$ hold for $\Delta$ if the distribution
can be decomposed into a convex combination of some distributions $\Delta_i$
and each of them satisfies the corresponding sub-formula $\varphi_i$; the first
of these modalities allows any convex combination, whereas the second one
specifies a particular one. The formula ${\downarrow}\varphi$ holds for
$\Delta$ if all states in its support satisfy $\varphi$. The characterisation
of the least fixpoint formula $\mu X.\varphi$ and the greatest fixpoint formula
$\nu X.\varphi$ follows from the well-known Knaster-Tarski fixpoint theorem
[32].

The weak semantics reflects the unobservable nature of internal actions; it
differs from the strong semantics only in the use of the relations
$\xRightarrow{\hat a}$ instead of $\xrightarrow{a}$ in the interpretation of
the modalities $\langle a\rangle$ and $[a]$.

Note that there is some redundancy in the syntax of pMu: each of the
constructs $\bigwedge_{i\in I}$, $\langle a\rangle$ and $\mu$ can be expressed
in terms of its dual $\bigvee_{i\in I}$, $[a]$ and $\nu$ with the aid of
negation. However, negation may not be redundant, as the dual of
$\bigoplus_{i\in I} p_i\cdot\varphi_i$ does not appear to be expressible
without using negation; moreover this dual lacks the intuitive appeal for
introducing it as a new primitive.

We shall consider (closed) equation systems of formulae of the form

$$E:\quad X_1 = \varphi_1,\ \ \dots,\ \ X_n = \varphi_n$$

where $X_1,\dots,X_n$ are mutually distinct variables and
$\varphi_1,\dots,\varphi_n$ are formulae having at most $X_1,\dots,X_n$ as free
variables. Moreover, each occurrence of

Here $E$ can be viewed as a function $E : Var \to \mathcal{L}$ defined by
$E(X_i) = \varphi_i$ for $i = 1,\dots,n$ and $E(Y) = Y$ for other variables
$Y \in Var$.

An environment $\rho$ is a solution of an equation system $E$ if its assignment
to $X_i$ coincides with the interpretation of $\varphi_i$ in the environment,
that is,

$$\forall i : \rho(X_i) = [\![\varphi_i]\!]_\rho.$$

The existence of solutions for an equation system can be seen from the
following arguments. The set $Env$, which includes all candidates for
solutions, together with the partial order $\sqsubseteq$ defined by

$$\rho \sqsubseteq \rho' \text{ iff } \forall X \in Var : \rho(X) \subseteq \rho'(X)$$

forms a complete lattice. The equation functional
$\mathcal{F}_E : Env \to Env$ given in the notation of the $\lambda$-calculus
by

$$\mathcal{F}_E := \lambda\rho.\lambda X.[\![E(X)]\!]_\rho$$

is monotonic, which can be shown by induction on the structure of $E(X)$. Thus,
the Knaster-Tarski fixpoint theorem guarantees existence of solutions, and the
greatest solution

$$\nu_E := \bigsqcup\{\rho \mid \rho \sqsubseteq \mathcal{F}_E(\rho)\} \qquad (1)$$

is the supremum of the set of all post-fixpoints of $\mathcal{F}_E$.

Rule 1: $E \to F$
Rule 2: $E \to G$
Rule 3: $E \to H$ if $X_n \notin fv(\varphi_1,\dots,\varphi_n)$

$$
\begin{array}{llll}
E: & F: & G: & H: \\
X_1 = \varphi_1 & X_1 = \varphi_1 & X_1 = \varphi_1[\varphi_n/X_n] & X_1 = \varphi_1 \\
\quad\vdots & \quad\vdots & \quad\vdots & \quad\vdots \\
X_{n-1} = \varphi_{n-1} & X_{n-1} = \varphi_{n-1} & X_{n-1} = \varphi_{n-1}[\varphi_n/X_n] & X_{n-1} = \varphi_{n-1} \\
X_n = \varphi_n & X_n = \nu X_n.\varphi_n & X_n = \varphi_n &
\end{array}
$$

Table 2. Transformation rules

An expression $\nu_E(X)$, with $X$ one of the variables used in $E$, denotes a
set of distributions. Below we will use such expressions as if they were valid
syntax in our probabilistic mu-calculus, with
$[\![\nu_E(X)]\!]_\rho := \nu_E(X)$. This amounts to extending the greatest
fixpoint operator $\nu$ to apply to finite sets of fixpoint equations, instead
of single equations; the expression $\nu X.\varphi$ amounts to the special case
$\nu_E(X)$ in which $E$ consists of the single equation $X = \varphi$.

The use of expressions $\nu_E(X)$ is justified because they can be seen as
syntactic sugar for authentic pMu expressions. As explained in ^5], the three
transformation rules in Table 2 can be used to obtain from an equation system
$E$ a pMu formula whose interpretation coincides with the interpretation of
$X_1$ in the greatest solution of $E$.

Theorem 1. Given a finite equation system $E$ that uses the variable $X$, there
is a pMu formula $\varphi$ such that $\nu_E(X) = [\![\varphi]\!]$. □

4 Characteristic equation systems 

Following [31], the behaviour of a finite-state process can be characterised by
an equation system of modal formulae. In the current section we show that this
idea also applies in the probabilistic setting. For each behavioural relation
$\mathcal{R}$ over a finite state space, ranging over the various simulation
preorders and bisimulation equivalences reviewed in Section 2, we establish an
equation system $E$ of modal formulae in pMu.

$$E:\quad X_{s_1} = \varphi_{s_1},\ \ \dots,\ \ X_{s_n} = \varphi_{s_n}$$

There is exactly one such equation for each state $s_i$, and the formulae
$\varphi_{s_i}$ do not contain fixpoint operators. This equation system is
guaranteed to have a greatest solution $\nu_E$ which has the nice property
that, for any states $s, t$ in the state space in question, $s$ is related to
$t$ via $\mathcal{R}$ if and only if the point distribution $\bar{t}$ belongs
to the set of distributions assigned to the variable $X_s$ by $\nu_E$. Thus
$\nu_E(X_s)$ is a characteristic formula for $s$ w.r.t. $\mathcal{R}$ in the
sense that $s\,\mathcal{R}\,t$ iff $\bar{t}$ satisfies $\nu_E(X_s)$.

Strong probabilistic bisimulation The key ingredient for the modal
characterisation of strong probabilistic bisimulation is to construct an
equation system that captures all the transitions of a pLTS. For each state $s$
we build an equation $X_s = \varphi_s$, where $X_s$ is a variable and
$\varphi_s$ is of the form $\varphi'_s \wedge \varphi''_s$ with $\varphi'_s$ a
formula describing the actions enabled by $s$ and $\varphi''_s$ a formula
describing the consequences of performing these actions. Intuitively, if state
$s$ is related to state $t$ in a bisimulation game, then $\varphi'_s$ expresses
the transitions that should be matched up by $t$ and $\varphi''_s$ expresses
the capability of $s$ to match up the transitions initiated by $t$. More
specifically, the equation system is given by the following definition.

Definition 6. Given a pLTS, its characteristic equation system for strong
probabilistic bisimulation consists of one equation $X_s = \varphi_s$ for each
state $s \in S$ where

$$\varphi_s := \Big(\bigwedge_{s \xrightarrow{a} \Delta} \langle a\rangle X_\Delta\Big) \wedge \Big(\bigwedge_{a \in Act_\tau} [a] \bigoplus_{s \xrightarrow{a} \Delta} X_\Delta\Big)^{1} \qquad (2)$$

with $X_\Delta := \bigoplus_{s \in \lceil\Delta\rceil} \Delta(s)\cdot{\downarrow}X_s$.

The equation system thus constructed, interpreted according to the strong
semantics of pMu, has the required property, as stated by the theorem below.

Theorem 2. Let $E$ be the characteristic equation system for strong
probabilistic bisimulation on a given pLTS. Then, for all states $s$ and $t$,

1. $s\,\mathcal{R}\,t$ for some strong probabilistic bisimulation
   $\mathcal{R}$ if and only if $\bar{t} \in \rho(X_s)$ for some post-fixpoint
   $\rho$ of $\mathcal{F}_E$.

2. In particular, $s \sim t$ if and only if
   $\bar{t} \in [\![\nu_E(X_s)]\!]$, i.e., $\nu_E(X_s)$ is a characteristic
   formula for $s$ w.r.t. strong probabilistic bisimilarity.

Proof. Let $E$ be the characteristic equation system for strong probabilistic
bisimulation on a given pLTS. We only consider the first statement, from which
the second statement follows immediately.

($\Leftarrow$) For this direction, assuming a post-fixpoint $\rho$ of
$\mathcal{F}_E$, we construct a probabilistic bisimulation relation that
includes all state pairs $(s,t)$ satisfying $\bar{t} \in \rho(X_s)$. Let
$\mathcal{R} = \{(s,t) \mid \bar{t} \in \rho(X_s)\}$. We first show that

$$\Theta \in [\![X_\Delta]\!]_\rho \text{ implies } \Delta\,\mathcal{R}^\dagger\,\Theta. \qquad (3)$$



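^1 The subformula $\bigoplus_{s \xrightarrow{a} \Delta} X_\Delta$ is equivalent
to $\bigvee_{\bar{s} \xrightarrow{a} \Delta} X_\Delta$, and this is the form
that we use to prove Theorem 2. If the given pLTS has nondeterministic choices
among different transitions labelled with the same action, this disjunction is
infinite. For example, if $s \xrightarrow{a} \bar{s_i}$ for $i = 1,2$, then
$\bar{s} \xrightarrow{a} \Delta_p$, where
$\Delta_p = p\cdot\bar{s_1} + (1-p)\cdot\bar{s_2}$, for any $p \in [0,1]$. The
set $\{\Delta_p \mid p \in [0,1]\}$ is uncountable, though it is finitely
generable, as the convex closure of the two-element set
$\{\Delta_0, \Delta_1\}$. The formula
$\bigoplus_{s \xrightarrow{a} \Delta} X_\Delta$ exploits that fact to bypass
the infinite disjunction; this formula is finite if the underlying pLTS is
finitary.

Let $X_\Delta = \bigoplus_{i\in I} p_i\cdot{\downarrow}X_{s_i}$, so that
$\Delta = \sum_{i\in I} p_i\cdot\bar{s_i}$. Suppose
$\Theta \in [\![X_\Delta]\!]_\rho$. We have that
$\Theta = \sum_{i\in I} p_i\cdot\Theta_i$ and, for all $i \in I$ and all
$t \in \lceil\Theta_i\rceil$, that $\bar{t} \in [\![X_{s_i}]\!]_\rho$, i.e.
$s_i\,\mathcal{R}\,t$. It follows that
$\bar{s_i}\,\mathcal{R}^\dagger\,\Theta_i$ and thus
$\Delta\,\mathcal{R}^\dagger\,\Theta$, using Proposition 2(1).
Now we show that $\mathcal{R}$ is a probabilistic bisimulation.

1. Suppose $s\,\mathcal{R}\,t$ and $s \xrightarrow{a} \Delta$. Then
   $\bar{t} \in \rho(X_s) \subseteq [\![\varphi_s]\!]_\rho$. It follows from
   (2) that $\bar{t} \in [\![\langle a\rangle X_\Delta]\!]_\rho$. So there
   exists some $\Theta$ such that $\bar{t} \xrightarrow{a} \Theta$ and
   $\Theta \in [\![X_\Delta]\!]_\rho$. Now we apply (3).

2. Suppose $s\,\mathcal{R}\,t$ and $\bar{t} \xrightarrow{a} \Theta$. Then
   $\bar{t} \in \rho(X_s) \subseteq [\![\varphi_s]\!]_\rho$. It follows from
   (2) that
   $\bar{t} \in [\![[a]\bigvee_{\bar{s} \xrightarrow{a} \Delta} X_\Delta]\!]_\rho$.
   Notice that it must be the case that $\bar{s} \xrightarrow{a}$, otherwise,
   $\bar{t} \in [\![[a]\mathit{false}]\!]_\rho$ and thus
   $\bar{t} \not\xrightarrow{a}$, in contradiction with the assumption
   $\bar{t} \xrightarrow{a} \Theta$. Therefore,
   $\Theta \in [\![\bigvee_{\bar{s} \xrightarrow{a} \Delta} X_\Delta]\!]_\rho$,
   which implies $\Theta \in [\![X_\Delta]\!]_\rho$ for some $\Delta$ with
   $\bar{s} \xrightarrow{a} \Delta$. Now we apply (3).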

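($\Rightarrow$) Given a strong probabilistic bisimulation $\mathcal{R}$, we
construct a post-fixpoint of $\mathcal{F}_E$ such that whenever
$s\,\mathcal{R}\,t$ then $\bar{t}$ falls into the set of distributions assigned
to $X_s$ by that post-fixpoint. We define the environment $\rho_\mathcal{R}$ by

$$\rho_\mathcal{R}(X_s) := \{\bar{t} \mid s\,\mathcal{R}\,t\}$$

and show that $\rho_\mathcal{R}$ is a post-fixpoint of $\mathcal{F}_E$, i.e.

$$\rho_\mathcal{R} \sqsubseteq \mathcal{F}_E(\rho_\mathcal{R}). \qquad (4)$$

We first show that

$$\Delta\,\mathcal{R}^\dagger\,\Theta \text{ implies } \Theta \in [\![X_\Delta]\!]_{\rho_\mathcal{R}}. \qquad (5)$$

Suppose $\Delta\,\mathcal{R}^\dagger\,\Theta$, we have that (i)
$\Delta = \sum_{i\in I} p_i\cdot\bar{s_i}$, (ii)
$\Theta = \sum_{i\in I} p_i\cdot\bar{t_i}$, (iii) $s_i\,\mathcal{R}\,t_i$ for
all $i \in I$. We know from (iii) that
$\bar{t_i} \in [\![X_{s_i}]\!]_{\rho_\mathcal{R}}$ and thus
$\bar{t_i} \in [\![{\downarrow}X_{s_i}]\!]_{\rho_\mathcal{R}}$. Using (ii) we
have that
$\Theta \in [\![\bigoplus_{i\in I} p_i\cdot{\downarrow}X_{s_i}]\!]_{\rho_\mathcal{R}}$.
Using (i) we obtain $\Theta \in [\![X_\Delta]\!]_{\rho_\mathcal{R}}$.
Now we are in a position to show (4). Suppose
$\bar{t} \in \rho_\mathcal{R}(X_s)$. We must prove that
$\bar{t} \in [\![\varphi_s]\!]_{\rho_\mathcal{R}}$, i.e.

$$\bar{t} \in \Big(\bigcap_{s \xrightarrow{a} \Delta} [\![\langle a\rangle X_\Delta]\!]_{\rho_\mathcal{R}}\Big) \cap \Big(\bigcap_{a \in Act_\tau} [\![[a]\bigvee_{\bar{s} \xrightarrow{a} \Delta} X_\Delta]\!]_{\rho_\mathcal{R}}\Big)$$

by (2). This can be done by showing that $\bar{t}$ belongs to each of the two
parts of the outermost intersection.

1. Assume that $s \xrightarrow{a} \Delta$ for some $a \in Act_\tau$ and
   $\Delta \in \mathcal{D}(S)$. Since $s\,\mathcal{R}\,t$, there exists some
   $\Theta$ such that $\bar{t} \xrightarrow{a} \Theta$ and
   $\Delta\,\mathcal{R}^\dagger\,\Theta$. By (5), we get
   $\Theta \in [\![X_\Delta]\!]_{\rho_\mathcal{R}}$. It follows that
   $\bar{t} \in [\![\langle a\rangle X_\Delta]\!]_{\rho_\mathcal{R}}$.

2. Let $a \in Act_\tau$. Whenever $\bar{t} \xrightarrow{a} \Theta$, then by
   $s\,\mathcal{R}\,t$ there must be some $\Delta$ such that
   $\bar{s} \xrightarrow{a} \Delta$ and $\Delta\,\mathcal{R}^\dagger\,\Theta$.
   By (5), we get $\Theta \in [\![X_\Delta]\!]_{\rho_\mathcal{R}}$ and thus
   $\Theta \in [\![\bigvee_{\bar{s} \xrightarrow{a} \Delta} X_\Delta]\!]_{\rho_\mathcal{R}}$.
   As a consequence,
   $\bar{t} \in [\![[a]\bigvee_{\bar{s} \xrightarrow{a} \Delta} X_\Delta]\!]_{\rho_\mathcal{R}}$. □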

Strong probabilistic simulation In a simulation game, if state $s$ is related
to state $t$, we only need to check that all transitions initiated by $s$
should be matched up by transitions from $t$, and we do not care about the
inverse direction: the capability of $s$ to simulate $t$. Therefore, it is not
surprising that characteristic equation systems for strong probabilistic
simulation are defined as in Definition 6 except that we drop the second part
of the conjunction in (2), so $\varphi_s$ takes the form

$$\varphi_s := \bigwedge_{s \xrightarrow{a} \Delta} \langle a\rangle X_\Delta \qquad (6)$$

With this modification, we have the expected property for strong probabilistic
simulation, which can be shown by using the ideas in the proof of Theorem 2
but with fewer cases to analyse.

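Weak probabilistic bisimulation Characteristic equation systems for weak
probabilistic bisimulation are defined as in Definition 6 except that the weak
semantics of pMu is employed and $\varphi_s$ takes the form

$$\varphi_s := \Big(\bigwedge_{s \xrightarrow{a} \Delta} \langle a\rangle X_\Delta\Big) \wedge \Big(\bigwedge_{a \in Act_\tau} [a] \bigvee_{\bar{s} \xRightarrow{\hat a} \Delta} X_\Delta\Big)^{2} \qquad (7)$$

With the above modifications, we have the counterpart of Theorem 2 with a
similar proof.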



Weak probabilistic simulation Characteristic equation systems for weak
probabilistic simulation are in exactly the same form as characteristic
equation systems for strong probabilistic simulation (cf. (6)), but using the
weak semantics of pMu.

Forward simulation Characteristic equation systems for forward simulation
are in the same form as characteristic equation systems for weak probabilistic
simulation, but with
$X_\Delta := \bigoplus_{s \in \lceil\Delta\rceil} \Delta(s)\cdot X_s$, i.e.
dropping the $\downarrow$.

^2 Using results from Markov Decision Processes [57], in a finitary pLTS also
this infinite disjunction can be expressed as finite convex combination;
however, we will not elaborate this here.

Failure simulation To give a modal characterisation for failure simulation we
need to add modal formulae of the form $\mathit{ref}(A)$ with
$A \subseteq Act$, first introduced in [6], to pMu, with the meaning given by

$$[\![\mathit{ref}(A)]\!]_\rho = \{\Delta \in \mathcal{D}(S) \mid \exists\Delta' : \Delta \xRightarrow{\hat\tau} \Delta' \wedge \Delta' \not\xrightarrow{A}\}$$

The formula $\mathit{ref}(A)$ holds for $\Delta$ if by doing internal actions
only $\Delta$ can evolve into a distribution such that no state in its support
can perform an action from $A \cup \{\tau\}$. This time $\varphi_s$ takes the
form

^' ■" 1 (A.^4(a)^4) A ref ({ a \ s ^}) otherwise ^^> 

with $X_\Delta := \bigoplus_{s \in \lceil\Delta\rceil} \Delta(s)\cdot X_s$.
Inspired by [6], here we distinguish two cases, depending on the possibility of
making an internal transition from $s$.

In summary, we have the following property.

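Theorem 3. Let $E_\prec$ be the characteristic equation system for strong
probabilistic simulation on a given pLTS. Let $E_\approx$ ($E_\precsim$,
$E_{\triangleleft_s}$, $E_{\triangleleft_{FS}}$, respectively) be the
characteristic equation system for weak probabilistic bisimulation (weak
probabilistic simulation, forward simulation, failure simulation, respectively)
on a given divergence-free pLTS. Then, for all states $s, t$ and distributions
$\Theta$,

1. $s\,\mathcal{R}\,t$ for some strong probabilistic simulation (weak
   probabilistic bisimulation, weak probabilistic simulation, respectively)
   $\mathcal{R}$ if and only if $\bar{t} \in \rho(X_s)$ for some post-fixpoint
   $\rho$ of $\mathcal{F}_{E_\prec}$ ($\mathcal{F}_{E_\approx}$,
   $\mathcal{F}_{E_\precsim}$, respectively).

2. $s\,\mathcal{R}\,\Theta$ for some forward simulation (failure simulation)
   $\mathcal{R}$ if and only if $\Theta \in \rho(X_s)$ for some post-fixpoint
   $\rho$ of $\mathcal{F}_{E_{\triangleleft_s}}$
   ($\mathcal{F}_{E_{\triangleleft_{FS}}}$).

3. In particular,

(a) $s \prec t$ if and only if $\bar{t} \in [\![\nu_{E_\prec}(X_s)]\!]$.

(b) $s \approx t$ if and only if $\bar{t} \in [\![\nu_{E_\approx}(X_s)]\!]$.

(c) $s \precsim t$ if and only if $\bar{t} \in [\![\nu_{E_\precsim}(X_s)]\!]$.

(d) $s \triangleleft_s \Theta$ if and only if
    $\Theta \in [\![\nu_{E_{\triangleleft_s}}(X_s)]\!]$.

(e) $s \triangleleft_{FS} \Theta$ if and only if
    $\Theta \in [\![\nu_{E_{\triangleleft_{FS}}}(X_s)]\!]$. □

We can also consider the strong case for $\triangleleft_s$ and
$\triangleleft_{FS}$, by treating $\tau$ as an external action, and give
characteristic equation systems. In the strong case for $\triangleleft_{FS}$
only the "otherwise" in (8) applies, with $\mathit{ref}(A)$ represented as
$\bigwedge_{a \in A} [a]\mathit{false}$.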

5 Modal characterisations 

In the previous sections we have pursued logical characterisations for various
behavioural relations by characteristic formulae. A weaker form of
characterisation, which is commonly called a modal characterisation of a
behavioural relation, consists of isolating a class of formulae with the
property that two states are equivalent if and only if they satisfy the same
formulae from that class.

Definition 7. Let $\mathcal{L}^\mu_\sim$ be simply the class $\mathcal{L}$ of
modal formulae defined in Section 3, equipped with the strong semantics of
Table 1. With $\mathcal{L}^\mu_\prec$ we denote the fragment of this class
obtained by skipping the modalities $\neg$ and $[a]$. The classes
$\mathcal{L}^\mu_\approx$ and $\mathcal{L}^\mu_\precsim$ are defined likewise,
but equipped with the weak semantics. Moreover,
$\mathcal{L}^\mu_{\triangleleft_s}$ is the fragment of
$\mathcal{L}^\mu_\precsim$ obtained by skipping $\downarrow$, and
$\mathcal{L}^\mu_{\triangleleft_{FS}}$ is obtained from
$\mathcal{L}^\mu_{\triangleleft_s}$ by addition of the modality
$\mathit{ref}(A)$.

In all cases, dropping the superscript $\mu$ denotes the subclass obtained by
dropping the variables and fixpoint operators.

For $\mathcal{R} \in \{\sim, \prec, \approx, \precsim, \triangleleft_s, \triangleleft_{FS}\}$
we write $\Delta \sqsubseteq^\mu_\mathcal{R} \Theta$ just when
$\Delta \in [\![\varphi]\!] \Rightarrow \Theta \in [\![\varphi]\!]$ for all
closed $\varphi \in \mathcal{L}^\mu_\mathcal{R}$, and
$\Delta \sqsubseteq_\mathcal{R} \Theta$ just when
$\Delta \in [\![\varphi]\!] \Rightarrow \Theta \in [\![\varphi]\!]$ for all
$\varphi \in \mathcal{L}_\mathcal{R}$. Note that the relations
$\sqsubseteq^\mu_\sim$, $\sqsubseteq_\sim$, $\sqsubseteq^\mu_\approx$ and
$\sqsubseteq_\approx$ are symmetric. For this reason we will employ the symbol
$=$ instead of $\sqsubseteq$ when referring to them.

We have the following modal characterisation for strong probabilistic bisimi- 
larity, strong probabilistic similarity, weak probabilistic bisimilarity, weak prob- 
abilistic similarity, forward similarity, and failure similarity. 

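Theorem 4 (Modal characterisation).

Let $s$ and $t$ be states in a divergence-free pLTS.

1. $s \sim t$ iff $\bar{s} =^\mu_\sim \bar{t}$ iff $\bar{s} =_\sim \bar{t}$.

2. $s \prec t$ iff $\bar{s} \sqsubseteq^\mu_\prec \bar{t}$ iff
   $\bar{s} \sqsubseteq_\prec \bar{t}$.

3. $s \approx t$ iff $\bar{s} =^\mu_\approx \bar{t}$ iff
   $\bar{s} =_\approx \bar{t}$.

4. $s \precsim t$ iff $\bar{s} \sqsubseteq^\mu_\precsim \bar{t}$ iff
   $\bar{s} \sqsubseteq_\precsim \bar{t}$.

5. $s \triangleleft_s \Theta$ iff
   $\bar{s} \sqsubseteq^\mu_{\triangleleft_s} \Theta$ iff
   $\bar{s} \sqsubseteq_{\triangleleft_s} \Theta$.

6. $s \triangleleft_{FS} \Theta$ iff
   $\bar{s} \sqsubseteq^\mu_{\triangleleft_{FS}} \Theta$ iff
   $\bar{s} \sqsubseteq_{\triangleleft_{FS}} \Theta$.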



Note that $s \equiv^\mu_\sim t \Rightarrow s \sim t$ is an immediate consequence of Theorem 2. From
$s \sim s$ we obtain $s \in [\![\nu_E(X_s)]\!]$. Together with $s \equiv^\mu_\sim t$ this yields $t \in [\![\nu_E(X_s)]\!]$,
hence $s \sim t$.

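Proof. We only prove the first statement; the others can be shown analogously.
In fact we establish the more general result that

$$\Delta \sim^\dagger \Theta \;\Leftrightarrow\; \Delta \equiv^\mu_\sim \Theta \;\Leftrightarrow\; \Delta \equiv_\sim \Theta$$

from which statement 1 of Theorem 2 follows immediately. The implication
$\Delta \sim^\dagger \Theta \Rightarrow \Delta \equiv^\mu_\sim \Theta$ expresses the soundness of the logic $\mathcal{L}^\mu_\sim$ w.r.t. the
relation $\sim^\dagger$, whereas the implication $\Delta \equiv_\sim \Theta \Rightarrow \Delta \sim^\dagger \Theta$ expresses the completeness
of $\mathcal{L}_\sim$ w.r.t. $\sim^\dagger$. The implication $\Delta \equiv^\mu_\sim \Theta \Rightarrow \Delta \equiv_\sim \Theta$ is trivial.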

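(Soundness) An environment $\rho : \mathrm{Var} \to \mathcal{P}(\mathcal{D}(S))$ is called compatible with $\sim^\dagger$
if for all $X \in \mathrm{Var}$ we have that

$$\Delta \sim^\dagger \Theta \Rightarrow (\Delta \in \rho(X) \Rightarrow \Theta \in \rho(X)).$$

We will show by structural induction on $\varphi$ that

$$\Delta \sim^\dagger \Theta \Rightarrow (\Delta \in [\![\varphi]\!]_\rho \Rightarrow \Theta \in [\![\varphi]\!]_\rho)$$

for any environment $\rho$ that is compatible with $\sim^\dagger$. By restricting attention to
closed $\varphi$ this implies the soundness of $\mathcal{L}^\mu_\sim$ w.r.t. $\sim^\dagger$.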

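- Let $\Delta \sim^\dagger \Theta$ and $\Delta \in [\![\langle a\rangle\varphi]\!]_\rho$. Then $\Delta \xrightarrow{a} \Delta'$ and $\Delta' \in [\![\varphi]\!]_\rho$ for some $\Delta'$.
By Lemma 1 there is some $\Theta'$ with $\Theta \xrightarrow{a} \Theta'$ and $\Delta' \sim^\dagger \Theta'$. By induction
we have $\Theta' \in [\![\varphi]\!]_\rho$, thus $\Theta \models \langle a\rangle\varphi$.

- Let $\Delta \sim^\dagger \Theta$ and $\Delta \in [\![[a]\varphi]\!]_\rho$. Suppose $\Theta \xrightarrow{a} \Theta'$. By Lemma 1 and symmetry,
there is a $\Delta'$ with $\Delta \xrightarrow{a} \Delta'$ and $\Delta' \sim^\dagger \Theta'$. As $\Delta \in [\![[a]\varphi]\!]_\rho$ it must be
that $\Delta' \in [\![\varphi]\!]_\rho$, and by induction we have $\Theta' \in [\![\varphi]\!]_\rho$. Thus $\Theta \in [\![[a]\varphi]\!]_\rho$.

- Let $\Delta \sim^\dagger \Theta$ and $\Delta \in [\![\bigwedge_{i \in I} \varphi_i]\!]_\rho$. Then $\Delta \in [\![\varphi_i]\!]_\rho$ for all $i \in I$. So by induction
$\Theta \in [\![\varphi_i]\!]_\rho$, and we have $\Theta \in [\![\bigwedge_{i \in I} \varphi_i]\!]_\rho$.
- The case $\Delta \sim^\dagger \Theta$ and $\Delta \in [\![\bigvee_{i \in I} \varphi_i]\!]_\rho$ goes likewise.

- Let $\Delta \sim^\dagger \Theta$ and $\Delta \in [\![\neg\varphi]\!]_\rho$. So $\Delta \notin [\![\varphi]\!]_\rho$, and by induction (and the symmetry
of $\sim^\dagger$) we have $\Theta \notin [\![\varphi]\!]_\rho$. Thus $\Theta \in [\![\neg\varphi]\!]_\rho$.

- Let $\Delta \sim^\dagger \Theta$ and $\Delta \in [\![\bigoplus_{i \in I} p_i \cdot \varphi_i]\!]_\rho$. So $\Delta = \sum_{i \in I} p_i \cdot \Delta_i$ and for all $i \in I$ we
have $\Delta_i \in [\![\varphi_i]\!]_\rho$. Since $\Delta \sim^\dagger \Theta$, by Proposition 2(2) we have $\Theta = \sum_{i \in I} p_i \cdot \Theta_i$
and $\Delta_i \sim^\dagger \Theta_i$. So by induction we have $\Theta_i \in [\![\varphi_i]\!]_\rho$ for all $i \in I$. Therefore,
$\Theta \in [\![\bigoplus_{i \in I} p_i \cdot \varphi_i]\!]_\rho$. The case $\Delta \in [\![\bigoplus_{i \in I} \varphi_i]\!]_\rho$ goes likewise.

- Let $\Delta \sim^\dagger \Theta$ and $\Delta \in [\![{\downarrow}\varphi]\!]_\rho$. So for all $s \in \lceil\Delta\rceil$ we have $s \in [\![\varphi]\!]_\rho$. From
$\Delta \sim^\dagger \Theta$ it follows that for each $t \in \lceil\Theta\rceil$ there is an $s \in \lceil\Delta\rceil$ with $s \sim t$, thus
$s \sim^\dagger t$. So by induction we have $t \in [\![\varphi]\!]_\rho$ for all $t \in \lceil\Theta\rceil$. Therefore, $\Theta \in [\![{\downarrow}\varphi]\!]_\rho$.

- Let $\Delta \sim^\dagger \Theta$ and $\Delta \in [\![X]\!]_\rho = \rho(X)$. Then $\Theta \in [\![X]\!]_\rho$ because $\rho$ is compatible
with $\sim^\dagger$.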

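- Suppose $\Delta \sim^\dagger \Theta$ and $\Theta \notin [\![\mu X.\varphi]\!]_\rho$. Then $\exists V \subseteq \mathcal{D}(S)$ with $\Theta \notin V$ and
$[\![\varphi]\!]_{\rho[X \mapsto V]} \subseteq V$. Let $V' := \{\Delta' \mid \forall \Theta'.(\Delta' \sim^\dagger \Theta' \Rightarrow \Theta' \in V)\}$. Then $\Delta \notin V'$.
It remains to show that $[\![\varphi]\!]_{\rho[X \mapsto V']} \subseteq V'$, because this implies $\Delta \notin [\![\mu X.\varphi]\!]_\rho$,
which has to be shown.

So let $\Delta' \in [\![\varphi]\!]_{\rho[X \mapsto V']}$. Take any $\Theta'$ with $\Delta' \sim^\dagger \Theta'$. By construction of $V'$,
the environment $\rho[X \mapsto V']$ is compatible with $\sim^\dagger$. Therefore, the induction
hypothesis yields $\Theta' \in [\![\varphi]\!]_{\rho[X \mapsto V']}$. We have $V' \subseteq V$, and as $[\![\ ]\!]$ is monotonic
we obtain $\Theta' \in [\![\varphi]\!]_{\rho[X \mapsto V']} \subseteq [\![\varphi]\!]_{\rho[X \mapsto V]} \subseteq V$. It follows that $\Delta' \in V'$.

- Suppose $\Delta \sim^\dagger \Theta$ and $\Delta \in [\![\nu X.\varphi]\!]_\rho$. Then $\exists V \subseteq \mathcal{D}(S)$ with $\Delta \in V$ and
$[\![\varphi]\!]_{\rho[X \mapsto V]} \supseteq V$. Let $V' := \{\Theta' \mid \exists \Delta' \in V.\ \Delta' \sim^\dagger \Theta'\}$. Then $\Theta \in V'$. It
remains to show that $[\![\varphi]\!]_{\rho[X \mapsto V']} \supseteq V'$, because this implies $\Theta \in [\![\nu X.\varphi]\!]_\rho$,
which has to be shown.

So let $\Theta' \notin [\![\varphi]\!]_{\rho[X \mapsto V']}$. Take any $\Delta'$ with $\Delta' \sim^\dagger \Theta'$. By construction of $V'$,
the environment $\rho[X \mapsto V']$ is compatible with $\sim^\dagger$. Therefore, the induction
hypothesis yields $\Delta' \notin [\![\varphi]\!]_{\rho[X \mapsto V']}$. We have $V' \supseteq V$, and as $[\![\ ]\!]$ is monotonic
we obtain $\Delta' \notin [\![\varphi]\!]_{\rho[X \mapsto V']} \supseteq [\![\varphi]\!]_{\rho[X \mapsto V]} \supseteq V$. It follows that $\Theta' \notin V'$.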

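(Completeness) Let $\mathcal{R} = \{(s,t) \mid s \equiv_\sim t\}$. We show that $\mathcal{R}$ is a strong probabilistic
bisimulation. Suppose $s \mathrel{\mathcal{R}} t$ and $s \xrightarrow{a} \Delta$. We have to show that there
is some $\Theta$ with $t \xrightarrow{a} \Theta$ and $\Delta \mathrel{\mathcal{R}^\dagger} \Theta$. Consider the set

$$T := \{\Theta \mid t \xrightarrow{a} \Theta \wedge \Theta = \sum_{s' \in \lceil\Delta\rceil} \Delta(s') \cdot \Theta_{s'} \wedge \exists s' \in \lceil\Delta\rceil, \exists t' \in \lceil\Theta_{s'}\rceil : s' \not\equiv_\sim t'\}$$

For each $\Theta \in T$ there must be some $s'_\Theta \in \lceil\Delta\rceil$ and $t'_\Theta \in \lceil\Theta_{s'_\Theta}\rceil$ and a formula $\varphi_\Theta$
with $s'_\Theta \models \varphi_\Theta$ but $t'_\Theta \not\models \varphi_\Theta$. So $s' \models \bigwedge_{\{\Theta \in T \mid s'_\Theta = s'\}} \varphi_\Theta$ for each $s' \in \lceil\Delta\rceil$, and for
each $\Theta \in T$ with $s'_\Theta = s'$ there is some $t'_\Theta \in \lceil\Theta_{s'}\rceil$ with $t'_\Theta \not\models \bigwedge_{\{\Theta \in T \mid s'_\Theta = s'\}} \varphi_\Theta$.
Let

$$\varphi := \langle a\rangle \bigoplus_{s' \in \lceil\Delta\rceil} \Delta(s') \cdot {\downarrow} \bigwedge_{\{\Theta \in T \mid s'_\Theta = s'\}} \varphi_\Theta.$$

It is clear that $s \models \varphi$, hence $t \models \varphi$ by $s \mathrel{\mathcal{R}} t$. It follows that there must be a
$\Theta^*$ with $t \xrightarrow{a} \Theta^*$, $\Theta^* = \sum_{s' \in \lceil\Delta\rceil} \Delta(s') \cdot \Theta^*_{s'}$ and for each $s' \in \lceil\Delta\rceil$, $t' \in \lceil\Theta^*_{s'}\rceil$
we have $t' \models \bigwedge_{\{\Theta \in T \mid s'_\Theta = s'\}} \varphi_\Theta$. This means that $\Theta^* \notin T$ and hence for each
$s' \in \lceil\Delta\rceil$, $t' \in \lceil\Theta^*_{s'}\rceil$ we have $s' \equiv_\sim t'$, i.e. $s' \mathrel{\mathcal{R}} t'$. Consequently, we obtain $\Delta \mathrel{\mathcal{R}^\dagger} \Theta^*$.
By symmetry all transitions of $t$ can be matched up by transitions of $s$. $\Box$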

Modal characterisation of strong and weak probabilistic bisimulation has
been studied in [26]. It is also based on a probabilistic extension of the Hennessy-
Milner logic. Instead of our modalities $\bigoplus$ and $\downarrow$ they use a modality $[\cdot]_p$. Intuitively,
a distribution $\Delta$ satisfies the formula $[\varphi]_p$ when the set of states satisfying
$\varphi$ is measured by $\Delta$ with probability at least $p$. So the formula $[\varphi]_p$ can be
expressed by our logics in terms of the probabilistic choice $\bigoplus_{i \in I} p_i \cdot \varphi_i$ by setting
$I = \{1, 2\}$, $p_1 = p$, $p_2 = 1 - p$, $\varphi_1 = {\downarrow}\varphi$, and $\varphi_2 = \mathrm{true}$. Furthermore, instead of
our modality $\langle a\rangle$, they use a modality $\Diamond_a$ that can be expressed in our logic
by $\Diamond_a \varphi = \langle a\rangle{\downarrow}\varphi$. We conjecture that our modalities $\langle a\rangle$ and cannot be
expressed in terms of the logic of [55], and that a logic of that type is unsuitable
for characterising forward simulation or failure simulation.
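
The encoding of the "probability at least p" modality by a two-branch probabilistic choice can be checked mechanically on a finite distribution. The following Python sketch is an added example, not code from the paper: it decides a probabilistic choice whose branches each require the support of their component to lie inside a given set of states (each branch formula is represented directly by its satisfying states, an assumption made here), and compares the encoding with the threshold reading. All function names and the sample distribution are constructed for illustration.

```python
from fractions import Fraction as F
from itertools import combinations

def satisfies_choice(delta, branches):
    """Does `delta` satisfy the probabilistic choice over branches (p_i, sat_i)?

    delta maps states to probabilities; sat_i is the set of states satisfying
    the state formula under the i-th down-arrow. The formula holds iff
    delta = sum_i p_i * delta_i with each delta_i supported inside sat_i.
    By the supply-demand (Hall-type) condition for this transportation problem,
    that is the case iff every set J of branches has
    sum_{i in J} p_i <= delta(union of sat_i for i in J).
    """
    assert sum(delta.values()) == 1 and sum(p for p, _ in branches) == 1
    if any(not sat for _, sat in branches):
        return False  # no distribution at all is supported on the empty set
    for k in range(1, len(branches) + 1):
        for J in combinations(range(len(branches)), k):
            needed = sum(branches[i][0] for i in J)
            reachable = set().union(*(branches[i][1] for i in J))
            if needed > sum(pr for s, pr in delta.items() if s in reachable):
                return False
    return True

def at_least(delta, sat, p):
    """Threshold modality: delta gives the states in `sat` mass at least p."""
    return sum(pr for s, pr in delta.items() if s in sat) >= p

def encode_threshold(sat, p, states):
    """Encoding from the text: I = {1, 2}, p1 = p, p2 = 1 - p, phi2 = true."""
    return [(p, set(sat)), (1 - p, set(states))]

# Constructed sample data (not from the paper).
DELTA = {"s1": F(1, 2), "s2": F(1, 3), "s3": F(1, 6)}
SAT = {"s1", "s3"}                      # states satisfying the state formula
THRESHOLDS = [F(1, 10), F(2, 3), F(3, 4)]
SPLIT_OK = [(F(1, 2), {"s1"}), (F(1, 2), {"s2", "s3"})]
# Each branch fits on its own, but the two s3-branches together need 1/3 > 1/6.
SPLIT_BAD = [(F(1, 6), {"s3"}), (F(1, 6), {"s3"}), (F(2, 3), set(DELTA))]

if __name__ == "__main__":
    for p in THRESHOLDS:
        enc = encode_threshold(SAT, p, DELTA)
        print(p, at_least(DELTA, SAT, p), satisfies_choice(DELTA, enc))
    print(satisfies_choice(DELTA, SPLIT_OK), satisfies_choice(DELTA, SPLIT_BAD))
```

The general check enumerates all subsets of branches, so it is exponential in the number of branches; a max-flow formulation would avoid that for large index sets.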

When restricted to deterministic pLTSs (i.e., for each state and for each
action, there exists at most one outgoing transition), probabilistic bisimulations
can be characterised by simpler forms of logics, as observed in [19,10,26].



6 Concluding remarks 

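We have considered characteristic equation systems consisting of equations of
the form $X_s = \varphi_s$ where, for each refinement preorder we have characterised, $\varphi_s$
is displayed in Table 3. Although they are in similar forms, the interpretations
of formulae $\langle a\rangle\varphi$ and $[a]\varphi$ change from the strong to the weak case (Table 1).

| preorder | $\varphi_s$ | $X_\Delta$ |
|---|---|---|
| strong prob. bis. | $(\bigwedge_{s \xrightarrow{a} \Delta} \langle a\rangle X_\Delta) \wedge (\bigwedge_{a \in \mathrm{Act}} [a] \bigvee_{s \xrightarrow{a} \Delta} X_\Delta)$ | $\bigoplus_{s \in \lceil\Delta\rceil} \Delta(s) \cdot {\downarrow}X_s$ |
| strong prob. sim. | $\bigwedge_{s \xrightarrow{a} \Delta} \langle a\rangle X_\Delta$ | $\bigoplus_{s \in \lceil\Delta\rceil} \Delta(s) \cdot {\downarrow}X_s$ |
| weak prob. bis. | $(\bigwedge_{s \xrightarrow{a} \Delta} \langle a\rangle X_\Delta) \wedge (\bigwedge_{a \in \mathrm{Act}_\tau} [a] \bigvee_{s \stackrel{\hat{a}}{\Longrightarrow} \Delta} X_\Delta)$ | $\bigoplus_{s \in \lceil\Delta\rceil} \Delta(s) \cdot {\downarrow}X_s$ |
| weak prob. sim. | $\bigwedge_{s \xrightarrow{a} \Delta} \langle a\rangle X_\Delta$ | $\bigoplus_{s \in \lceil\Delta\rceil} \Delta(s) \cdot {\downarrow}X_s$ |
| forward sim. | $\bigwedge_{s \xrightarrow{a} \Delta} \langle a\rangle X_\Delta$ | $\bigoplus_{s \in \lceil\Delta\rceil} \Delta(s) \cdot X_s$ |
| failure sim. | $(\bigwedge_{s \xrightarrow{a} \Delta} \langle a\rangle X_\Delta) \wedge \mathrm{ref}(\{a \mid s \not\xrightarrow{a}\})$ otherwise | $\bigoplus_{s \in \lceil\Delta\rceil} \Delta(s) \cdot X_s$ |

Table 3. Characteristic equation systems $E : X_s = \varphi_s$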

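For the strong and weak probabilistic (bi)simulation, we could also have
used a state-based logic. To be precise, the modalities $\bigwedge$, $\bigvee$, $\neg$, $\mu$ and $\nu$ would
be interpreted on states rather than distributions, $\bigoplus$ remains interpreted on
distributions, $\langle a\rangle$ and $[a]$ take a distribution-interpreted formula as argument
and return a state-interpreted formula, and $\downarrow$ does just the reverse:

$$
\begin{array}{rcl}
[\![\langle a\rangle\varphi]\!]_\rho &=& \{ s \in S \mid \exists \Delta' : s \xrightarrow{a} \Delta' \wedge \Delta' \in [\![\varphi]\!]_\rho \} \\
[\![[a]\varphi]\!]_\rho &=& \{ s \in S \mid \forall \Delta' : s \xrightarrow{a} \Delta' \Rightarrow \Delta' \in [\![\varphi]\!]_\rho \} \\
[\![{\downarrow}\varphi]\!]_\rho &=& \{ \Delta \in \mathcal{D}(S) \mid \forall s \in \lceil\Delta\rceil : s \in [\![\varphi]\!]_\rho \}
\end{array}
$$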



In fact, all our results and proofs are applicable to such a state-based logic, with
no significant change. Now a treatment of the original strong bisimulation of [12]
and the strong simulation of [16] proceeds exactly as this state-based treatment
of strong probabilistic (bi)simulation, but using s rather than s in the definition 
of (a) and [a]. 

There are many other behavioural relations studied in the literature. It would 
be interesting to see if our approach of deriving characteristic formulae applies to 
some of them. For instance, probabilistic may and must testing preorders have 
a close relationship with forward and failure simulations respectively 16], so it 
appears promising to derive characteristic formulae for them. 

Another research direction is to exploit characteristic formulae for deciding 
probabilistic behavioural relations and compare it with other methods of decid- 
ing behavioural relations. 